CN115442380A - Transaction blocking method and device for smart contract vulnerability attacks

Publication number: CN115442380A
Application number: CN202211113706.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王海林, 朱建锋
Current Assignee: Hangzhou Anjie Information Security Technology Co ltd
Original Assignee: Hangzhou Anjie Information Security Technology Co ltd
Prior art keywords: transaction, contract, attack, address, deployment

Classifications

    • H04L67/104 Peer-to-peer [P2P] networks
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses a transaction blocking method and device for smart contract vulnerability attacks. The final profit address of an attack is located by analyzing transaction log data. By replacing addresses in the smart contract deployment code, the profit address is modified and permission control is bypassed, so that the attacker's original contract is used automatically to reproduce the attack quickly and transfer the profit. Finally, the constructed replacement transaction is placed on chain ahead of the original transaction by paying a high miner fee, which blocks the attack transaction and reduces the loss caused by the smart contract vulnerability attack. The advantage of the method is that it provides an effective, automated transaction replacement strategy: by replacing the permission control and the profit address in the attacker's original contract, the attack logic in the attack contract is reused directly, so the specific logic of the attack transaction does not need to be identified. This solves the problems that attack logic is identified inaccurately and that complex attack behavior cannot be blocked.

Description

Transaction blocking method and device for smart contract vulnerability attacks
Technical Field
The invention belongs to the field of information security, and particularly relates to a transaction blocking method and device for smart contract vulnerability attacks.
Background
Ethereum is a well-known decentralized smart contract platform on which developers can conveniently develop and deploy decentralized applications. Decentralized finance (DeFi) based on Ethereum smart contracts has grown rapidly since 2019. The continuously emerging DeFi projects use the openness, transparency and tamper resistance of blockchain technology to provide financial services such as exchange, lending and deposits on the basis of public smart contract code, building a financial ecosystem that does not depend on trusting a third party. The low trust cost and high returns of DeFi systems quickly attracted a large number of users.
The openness of a DeFi protocol means that its operating rules are defined entirely by on-chain code, but code always has bugs and defects, and smart contract vulnerabilities are a constant and serious threat to the assets of DeFi users. The "wildly growing" DeFi field still does not pay enough attention to security. According to incomplete statistics, from January to December 2021 alone there were more than 195 attacks against the DeFi ecosystem, with cumulative economic losses of billions of dollars.
In traditional security, existing protection systems such as firewalls and intrusion detection systems can effectively detect and block attacks and reduce the loss caused by security vulnerabilities. In blockchain security, however, there is no effective solution for blocking attack transactions. Blocking blockchain attack transactions with techniques from traditional security still faces several problems, mainly the following:
1) Defense strategies cannot be deployed centrally
A traditional centralized information system can limit the impact of an attack by deploying an intrusion detection system and similar controls. The Ethereum blockchain, however, is fully decentralized, and blocks are packaged and broadcast by block producers all over the world. A block producer is only responsible for verifying that a transaction is valid, not for deciding whether it is an attack, so a defense strategy against DeFi attacks cannot be deployed uniformly.
2) Time constraints
The main targets of smart contract vulnerability attacks are on-chain DeFi projects, where an attacker exploits a latent vulnerability in a project contract to steal the user assets held by the project. Ethereum allows a single transaction to contain a large number of "internal transactions", and in many cases a single transaction is enough to complete the entire attack. By the time participants in the security ecosystem notice the anomaly, the attacker has probably already absconded with the funds. The time window for blocking an attack transaction is therefore very limited: unless the vulnerability was found beforehand by an audit, blocking can only be done in the few seconds between the attack transaction being broadcast to the memory pool and being formally packaged into a block. A window of a few seconds rules out manual analysis, so analysis and blocking must be automated.
3) Lack of an automated replacement transaction strategy
The time constraint above means that attack blocking must be able to construct, automatically, a new transaction that replaces the original attack transaction. Although the external call information and parameters of the attack contract are easy to obtain by pre-executing the attacker's transaction, these parameters are often computed from the chain state at that moment. If they are simply copied, the replacement transaction is likely to fail once its actual position and time on chain change. DeFi attacks are highly varied, projects lack a uniform standard, and the semantics of an attack transaction are hard to analyze and locate precisely, so blocking attack transactions is difficult.
4) Blocking cost
In the Ethereum network, each transaction pays a transaction fee according to the computing resources it consumes. If the blocking transaction goes on chain but fails to block the attack, a high transaction fee must still be paid.
Disclosure of Invention
When a user submits a transaction to the Ethereum blockchain, the transaction is first sent to a particular full node, which broadcasts it to the whole network; a block producer that receives the transaction packages it into the next block, at which point the transaction is "on chain". There is therefore a delay of several seconds between a transaction being broadcast and being included on chain. To reduce the loss caused by a DeFi attack, this window of several seconds can be used to reconstruct the attack transaction and get it on chain ahead of the attacker's, thereby blocking the attack transaction.
Based on this idea, the invention provides a transaction blocking method and device for smart contract vulnerability attacks. The final profit address of the attack is located by analyzing transaction log data. By replacing addresses in the smart contract deployment code, the profit address is modified and permission control is bypassed, so that the attacker's original contract is used automatically to reproduce the attack quickly and transfer the profit. Finally, the constructed replacement transaction is placed on chain ahead of the original transaction by paying a high transaction fee, which blocks the attack transaction and reduces the loss caused by the smart contract vulnerability attack. The specific technical scheme is as follows:
The invention discloses a transaction blocking method for smart contract vulnerability attacks, comprising:
receiving an attack transaction from the memory pool provided by a blockchain node;
extracting the log information of the attack transaction, and filtering out the transfer events in the log information;
building a transaction fund transfer table from the transfer events, and locating the final fund inflow address as the attack profit address;
obtaining the contract creation information of the smart contract called by the attack transaction;
replacing the address information in the contract deployment code and the deployment parameters of the obtained contract creation information;
constructing a new contract deployment transaction and a new call transaction using the replaced contract creation information;
submitting the new contract deployment transaction and call transaction to the blockchain node and obtaining their execution results;
if the execution results show that the profit is transferred to the replaced address, broadcasting the constructed new contract deployment transaction and call transaction to the blockchain nodes.
As a further improvement, the transfer events include base asset transfers, obtained by parsing the transaction's Value field, and ERC-20 asset transfers, obtained by parsing the transfer events identified by the ERC-20-specific Topic.
As a further improvement, the transaction fund transfer table is built by traversing all transfer records in the transaction and, for each transfer, recording the loss of the sender and the profit of the recipient; the table contains the profit and loss of each address involved in the transaction.
As a further improvement, the final fund inflow address is located by selecting one or more final asset inflow addresses from the transaction fund transfer table.
As a further improvement, the contract creation information includes the deployment code and the corresponding deployment parameters used when the contract was created.
As a further improvement, the purpose of replacing the contract creation information is to bypass the contract's call permission control and to change the attack profit address. The addresses to be replaced are the attack initiator address and the attack profit address, whether they appear in the contract or in the transaction call parameters.
As a further improvement, the main method of replacing the contract deployment code in the contract creation information is to replace the address information associated with opcodes in the contract bytecode, and likewise to replace the address information associated with opcodes in the contract deployment parameters.
As a further improvement, the new transactions are constructed using the replaced contract creation information and comprise a contract deployment transaction and a contract call transaction.
As a further improvement, the new contract deployment transaction and call transaction use a gas limit greater than or equal to that of the original transaction, and a gas price greater than that of the original transaction.
As a further improvement, the invention rechecks the logs in the execution results of the new contract deployment transaction and call transaction obtained from the blockchain node, builds a transaction fund transfer table from them, and confirms whether the replaced new address is a profit address in that table.
The invention also discloses a transaction blocking device for smart contract vulnerability attacks, comprising:
a communication unit, used for communicating with the blockchain nodes, receiving the attack transaction to be processed and its execution result, obtaining contract creation information, and sending the constructed new contract deployment transaction and call transaction;
a transfer table construction unit, used for extracting transaction log information, filtering transfer events and building the fund transfer table of a transaction;
an address determination unit, used for determining the final transaction profit address from the fund transfer table;
a contract replacement unit, used for replacing the address information in the contract deployment code and the deployment parameters of the obtained contract creation information, and constructing new contract creation information;
and a transaction construction unit, used for constructing a new contract deployment transaction and call transaction from the new contract creation information.
The invention has the following beneficial effects:
(1) It provides a scheme that solves the defense deployment problem in a distributed system
Using the "ordering by bid" transaction ordering property of the Ethereum consensus protocol, the invention broadcasts a blocking transaction with a higher gas price within the window of seconds between a transaction's broadcast and its inclusion on chain, which makes attack blocking deployable in a distributed system such as Ethereum. The scheme follows the Ethereum consensus protocol and solves the problem that the centralized deployment schemes of traditional security do not suit a distributed system.
(2) It makes effective use of the short time window
The invention constructs the blocking transaction pair quickly by reusing the original attacker's attack contract directly, and can therefore make effective use of the window of seconds between a transaction's broadcast and its inclusion on chain.
(3) It provides an effective, automated transaction replacement strategy
By replacing the permission control and the profit address in the attacker's original contract, the invention reuses the attack logic in the attack contract directly. The specific logic of the attack transaction does not need to be identified, which solves the problem that complex attack behavior cannot be blocked because the attack logic is identified inaccurately.
(4) It reduces the cost of attack blocking
Before the new blocking transaction is formally sent, the invention verifies in advance whether the profit is transferred to the new address, which avoids the loss of funds caused by a failed profit transfer.
Drawings
FIG. 1 is a schematic flow diagram of a transaction blocking method of the present invention;
FIG. 2 is a schematic illustration of an asset transfer scenario in a transaction;
FIG. 3 is a schematic diagram of the design of the transaction blocking device of the present invention;
Detailed Description
The invention describes a transaction blocking method for smart contract attacks that blocks an attack transaction by reusing the attacker's original attack contract. As shown in Fig. 1, the method comprises the following steps:
Step 1. Receive the classified attack transaction.
Step 2. Extract the log information of the transaction and filter out the transfer events in it.

Field      Purpose
From       Transaction initiator
To         Transaction destination address
Nonce      Sequence number of this transaction among the initiator's transactions; prevents replay
GasPrice   Highest price per unit of gas that the initiator is willing to pay
GasLimit   Maximum amount of gas the transaction may consume
Value      Amount of Ether transferred by the transaction, in Wei
ChainID    ID of the blockchain the transaction belongs to; prevents replay
Data       Call parameters of the transaction

The basic structure of an Ethereum transaction is shown in the table above. It includes basic information such as the initiator, the destination address, the call parameters and the amount of Ether transferred, plus additional information such as the transaction's gas limit and gas price. The transfer of Ether can therefore be read directly from the Value field of the transaction.
[Figure BDA0003844626460000061: ERC-20 interface functions; image not reproduced]
The Ethereum blockchain also has another very popular asset standard, ERC-20. As shown in the figure above, the ERC-20 standard implements custom on-chain assets by defining a set of interface functions, including transfer, balance query and approval, with state recorded by a smart contract. The unified standard means that all ERC-20 compliant assets can be operated with the same code. Any fungible asset operated under the ERC-20 standard relies on the security of the Ethereum network. Compared with building a dedicated public chain, the ERC-20 standard greatly lowers the barrier to operating an asset.
[Figure BDA0003844626460000062: ERC-20 transfer and approval log definitions; image not reproduced]
To capture ERC-20 asset transfers in a transaction accurately, the receipt generated after the transaction executes must be used. The call information generated during execution is not saved in the receipt, but all logs emitted by smart contracts are saved in the transaction receipt so that off-chain programs can obtain the result and state of contract execution. The ERC-20 standard defines two logs, for transfer and approval, as shown in the figure above.
The transfer log can be used to determine the ERC-20 asset transfers in a transaction. In an actual transaction receipt, however, the name and parameter types of a log are not recorded, and a log can only be located by its Topic. The Topic of a log is a hash computed from the log's name and parameter types and is unique. All transfer records in the transaction are therefore obtained by filtering for events whose Topic is 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef.
Step 3. Build a transaction fund transfer table from the transfer events, and locate the final fund inflow address as the attack profit address.
The construction of the transaction fund transfer table is described in detail below with reference to the drawings and a preferred embodiment. The specific embodiment described here is intended to illustrate the invention, not to limit it.
Taking the transaction in Fig. 2 as an example, the transfers actually completed are that address A transfers 10 AAA assets to address B, and address B transfers 4 AAA assets to address C. The transaction fund transfer table is then built from the profit and loss of each address after the transaction completes, as shown in Table 1.

Address   Asset   Profit and loss
A         AAA     -10
B         AAA     +6
C         AAA     +4
Table 1

In this transaction the final fund inflow addresses are therefore addresses B and C.
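
Added example (not part of the patent text): steps 2 and 3 in Python, filtering receipt logs by the Transfer Topic quoted above and reproducing Table 1 from the Fig. 2 scenario. The addresses, the AAA token contract address and the receipt are constructed sample values, and the JSON-RPC-style field names and the "ETH" label are assumptions.

```python
from collections import defaultdict

# Topic quoted in the text: keccak256("Transfer(address,address,uint256)")
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
NATIVE = "ETH"  # label chosen here for the chain's base asset (assumption)


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; return the low 20 bytes."""
    raw = bytes.fromhex(topic[2:])
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("topic is not a zero-padded address: " + topic)
    return "0x" + raw[12:].hex()


def extract_transfers(tx, receipt):
    """Return (asset, sender, recipient, amount) tuples for one transaction."""
    transfers = []
    value = int(tx.get("value", "0x0"), 16)
    if value > 0 and tx.get("to"):  # base-asset transfer read from the Value field
        transfers.append((NATIVE, tx["from"].lower(), tx["to"].lower(), value))
    for log in receipt.get("logs", []):
        topics = log.get("topics", [])
        if not topics or topics[0].lower() != TRANSFER_TOPIC:
            continue  # approval logs and every other event are ignored
        data = bytes.fromhex(log["data"][2:])
        # ERC-721 emits the same Topic but indexes tokenId (4 topics, empty
        # data). Treating a token id as an amount would corrupt the table.
        if len(topics) != 3 or len(data) != 32:
            continue
        transfers.append((log["address"].lower(),
                          topic_to_address(topics[1]),
                          topic_to_address(topics[2]),
                          int.from_bytes(data, "big")))
    return transfers


def build_transfer_table(transfers):
    """Net profit and loss per (address, asset): sender loses, recipient gains."""
    table = defaultdict(int)
    for asset, sender, recipient, amount in transfers:
        table[(sender, asset)] -= amount
        table[(recipient, asset)] += amount
    return dict(table)


def profit_addresses(table):
    """Addresses whose net position in at least one asset is positive."""
    return sorted({addr for (addr, _asset), net in table.items() if net > 0})


def pad(addr):
    """Encode a 20-byte address as a 32-byte log topic."""
    return "0x" + "00" * 12 + addr[2:]


def u256(n):
    """Encode an integer as 32 bytes of hex, as it appears in log data."""
    return "0x" + n.to_bytes(32, "big").hex()


# Constructed sample values standing in for A, B, C and the AAA token of Fig. 2.
A, B, C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
AAA = "0x" + "a1" * 20   # hypothetical ERC-20 contract address
NFT = "0x" + "d4" * 20   # hypothetical ERC-721 contract address

SAMPLE_TX = {"from": A, "to": "0x" + "e0" * 20, "value": "0x0"}
SAMPLE_RECEIPT = {"logs": [
    {"address": AAA, "topics": [TRANSFER_TOPIC, pad(A), pad(B)], "data": u256(10)},
    {"address": AAA, "topics": [TRANSFER_TOPIC, pad(B), pad(C)], "data": u256(4)},
    # Some other event (constructed topic): must not be counted.
    {"address": AAA, "topics": ["0x" + "11" * 32, pad(A), pad(B)], "data": u256(99)},
    # ERC-721-style Transfer: same Topic, indexed tokenId, no data.
    {"address": NFT, "topics": [TRANSFER_TOPIC, pad(A), pad(C), u256(7)], "data": "0x"},
]}

if __name__ == "__main__":
    table = build_transfer_table(extract_transfers(SAMPLE_TX, SAMPLE_RECEIPT))
    for (addr, asset), net in sorted(table.items()):
        print(addr, asset, "%+d" % net)
    print("final fund inflow addresses:", profit_addresses(table))
```

An address that only relays funds ends with a net of zero and is not reported, which is why the table is built from net positions and not from the list of recipients.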
Step 4. Obtain the creation information of the smart contract called by the attack transaction, including the deployment code and the corresponding deployment parameters used when the contract was created.
Step 5. Replace the address information in the contract deployment code and the deployment parameters of the obtained contract creation information, so as to bypass the contract's call permission control and change the attack profit address.
To prevent others from directly using deployed or undeployed contract bytecode, an attacker usually records in the contract the caller address that is allowed to call it and, if the caller address differs from the profit address, also records the profit address. Replacing these addresses in the original contract creation information therefore bypasses the contract's permission control and transfers the attack profit.
An address is generally recorded in a contract in one of two ways: hard-coded in the bytecode, or stored in the contract state. The invention provides a different method for each case.
Case 1: the address is hard-coded in the bytecode. The operand data of the EVM opcodes that the contract executes includes the corresponding address, so the address appears in plaintext in the corresponding EVM instruction. The contract deployment code in the contract creation information, i.e. the contract bytecode, contains every EVM instruction the contract may execute. In this case it is therefore enough to replace every address in the bytecode that needs replacing with the new address.
Case 2: the address is stored in the contract state.
Ethereum allows a smart contract to store contract state as key-value pairs, each mapping a 32-byte key to a 32-byte value. In Solidity, the common smart contract programming language, storing a variable on chain amounts to splitting or expanding its value into one or more key-value pairs.
[Figure BDA0003844626460000081: an attack contract with permission control; image not reproduced]
A common attack contract with permission control is shown in the figure above. The contract owner address is stored in the state; before the attack function runs, the current caller is compared with the stored contract owner, and if they differ the transaction is rolled back.
When the attack contract is compiled, the compiler automatically converts the initial assignment of the owner variable into part of the deployment parameters. In the EVM the SSTORE opcode stores state, so the initial assignment is translated into an SSTORE instruction. SSTORE takes two arguments: the first is the key, which here is 0x0 because owner is the first variable in the contract, and the second is the value, the contract owner address that needs to be replaced. To replace the contract owner information, both the attack transaction caller address and the profit address in the obtained contract deployment parameters are replaced with a new, controlled address, which modifies the data stored in the contract state.
Besides building the owner address into the contract code, the attacker may also pass it in as a constructor parameter when the contract is created. An owner address passed in this way is also present in the contract deployment parameters and can be replaced with the method described above.
Step 6. Use the replaced contract creation information to construct a new contract deployment transaction and a new call transaction. The new transactions must use a higher transaction fee than the original attack transaction.
The replaced contract deployment information, that is, the deployment parameters and the contract code, is concatenated to obtain the new contract deployment data. In the Ethereum network, a transaction with an empty destination address is defined as a contract deployment transaction. A transaction with an empty destination address is constructed from the new contract deployment data to obtain the new contract deployment transaction.
Because the profit address and the controller address may also appear in the transaction data of the contract call transaction, that is, be passed as parameters to the attack function, the transaction data of the contract call transaction may also need to be replaced and used to construct the new contract call transaction.
Under the Ethereum network consensus protocol, a block producer typically orders the transactions in a block from high to low by transaction fee price (Gas Price). Transactions placed earlier in the block execute first, so later transactions may be affected by the state left by earlier ones. Because there is a time interval between the broadcast of the attack transaction and its inclusion on chain, a transaction broadcast during that interval may be packaged into the same block as the attack transaction. If its transaction fee price is higher than that of the original attack transaction, the replacement transaction is ordered before the original attack transaction, which blocks the original attack transaction.
Step 7. Submit the new transactions to the blockchain node, obtain their execution results, and confirm that the attack profit in the execution results is transferred to the new address.
The constructed new transactions are submitted to the blockchain node to obtain the receipt information produced by their execution. The transaction fund transfer table is rebuilt with the method of step 3; if the profit of the replaced new address in the table is positive, the attack profit is considered to have been transferred.
Step 8. Broadcast the constructed new transactions to the blockchain nodes.
The invention also comprises a transaction blocking device aiming at the intelligent contract vulnerability attack. As shown in fig. 3, the main units are as follows:
and the communication unit is used for communicating with the block chain nodes, receiving the attack transaction to be processed and the execution result thereof, acquiring contract creation information and sending a constructed new transaction.
The communication unit communicates with the blockchain nodes by using a WebSocket protocol, and the long connection between the communication unit and the blockchain nodes can be kept by using the WebSocket protocol, so that the real-time performance of transaction pushing is ensured. And the block chain node pushes basic information of the transaction in the current memory pool, a receipt generated by execution and the like to the communication unit through a protocol, and the communication unit calls the flow conversion table construction unit for further processing. The communication unit also supports communication with the common block chain nodes through an HTTP protocol, and transaction submission and basic state acquisition are carried out by using an RPC interface provided by the common block chain nodes.
And the transfer table construction unit is used for extracting transaction log information, filtering transfer events and constructing a fund transfer table of the transaction.
[Figure: basic structure of the parsed transaction]
The fund flow table construction unit runs multithreaded to improve transaction processing efficiency. It receives pending transactions from the communication unit and deserializes the transaction data. The basic structure of the parsed transaction is shown in the figure above. In this structure, the Logs field records all log information generated during transaction execution; all transfer data are obtained by filtering the Logs field for the events that correspond to ERC-20 transfers.
Once the transfer information has been obtained, all transfers are traversed; for each transfer the loss is recorded against the sender and the profit against the recipient, finally yielding a transaction fund flow table containing the profit and loss information of each address.
An address determination unit, used for determining the final transaction profit address according to the constructed fund flow table.
The address determination unit traverses the transaction fund flow table and marks the addresses that show an asset profit. If there is only a single profit address, that address is the one to be replaced. If there are multiple profit addresses, all of them are to be replaced.
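The fund flow table, the profit-address selection and the step 7 profit check described above can be sketched as follows. This is an added example, not code from the patent: it assumes receipts shaped like Ethereum JSON-RPC `eth_getTransactionReceipt` output, and the profit rule (net gain in at least one asset, net loss in none), the function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# keccak256("Transfer(address,address,uint256)"): topic0 of the ERC-20 Transfer event
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
NATIVE = "native"  # label used here for the chain's base asset (tx Value field)

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def extract_transfers(tx, receipt):
    """Yield (asset, sender, recipient, amount) from the Value field and Transfer logs."""
    value = int(tx.get("value", "0x0"), 16)
    if value and tx.get("to"):
        yield NATIVE, tx["from"].lower(), tx["to"].lower(), value
    for log in receipt["logs"]:
        topics, data = log["topics"], log["data"][2:]
        # ERC-721 reuses this topic0 but indexes tokenId (4 topics, empty data): skip.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC or len(data) != 64:
            continue
        yield (log["address"].lower(), topic_to_address(topics[1]),
               topic_to_address(topics[2]), int(data, 16))

def build_flow_table(tx, receipt):
    """Net change per address and asset: debit the sender, credit the recipient."""
    table = defaultdict(lambda: defaultdict(int))
    for asset, sender, recipient, amount in extract_transfers(tx, receipt):
        table[sender][asset] -= amount
        table[recipient][asset] += amount
    return table

def profit_addresses(table):
    """Assumed rule: net gain in at least one asset and net loss in none."""
    return sorted(a for a, bal in table.items()
                  if any(v > 0 for v in bal.values()) and min(bal.values()) >= 0)

def profit_transferred(tx, receipt, new_address):
    """Step 7 check: the replacement address ends the simulated run with a net inflow."""
    balances = build_flow_table(tx, receipt).get(new_address.lower(), {})
    return any(v > 0 for v in balances.values())

# Constructed sample: a vault drained through an attack contract into an EOA.
def _topic(addr):
    return "0x" + addr[2:].rjust(64, "0")

TOKEN, NFT = "0x" + "dd" * 20, "0x" + "ee" * 20
VAULT, CONTRACT, ATTACKER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
AMOUNT = "0x" + format(1000, "064x")
SAMPLE_TX = {"from": ATTACKER, "to": CONTRACT, "value": "0x0"}
SAMPLE_RECEIPT = {"logs": [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _topic(VAULT), _topic(CONTRACT)], "data": AMOUNT},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _topic(CONTRACT), _topic(ATTACKER)], "data": AMOUNT},
    {"address": NFT, "topics": [TRANSFER_TOPIC, _topic(VAULT), _topic(ATTACKER), AMOUNT], "data": "0x"},
]}
```

On the constructed sample the pass-through attack contract nets to zero, so only the final recipient is marked, and the ERC-721-style log does not distort the table.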
A contract replacement unit, used for replacing the address information in the contract deployment code and the deployment parameters according to the acquired contract creation information, and constructing new contract creation information.
The contract replacement unit queries an archive node or a database for the contract creation information corresponding to the contract address, and replaces the deployment code and the deployment parameters in that information according to the replacement strategy of the method, obtaining new contract creation information.
A transaction construction unit, used for constructing a new contract deployment transaction and a call transaction according to the constructed contract creation information.
The transaction construction unit is responsible for constructing and signing the new transactions. The transaction data generated by the contract replacement unit must be combined with the transaction fee limit, the transaction fee price and so on to form a complete transaction. Because the method of the invention directly reuses the logic of the attack contract, the transaction fee consumed is essentially the same as for the original contract, so the transaction fee limit can be set equal to, or slightly larger than, that of the original. To gain priority for on-chain inclusion, the transaction fee price must be higher than that of the original transaction. To improve the success rate, a transaction fee price higher than the highest price in the blockchain node's current memory pool is generally chosen for the broadcast.
Once the structured transaction data have been determined, the transaction construction unit serializes them with RLP encoding to obtain the raw transaction data, and submits the raw transaction data to the blockchain node.
To verify the technical effect of the described technical solution in practical use, the inventors conducted the following experiments.
The inventors selected the public chains Ethereum (ETH) and Binance Smart Chain (BSC), which ranked first and second respectively by DeFi total value locked in January 2022, for deployment of the blocking device. The ETH chain uses a proof-of-work (PoW) consensus mechanism with a block interval of about 13 seconds. The BSC chain uses a proof-of-stake (PoS) consensus mechanism with a block interval of about 3 seconds. BSC and ETH are both smart contract platform chains based on the Ethereum Virtual Machine (EVM); their on-chain ecosystems are similar and they differ only in consensus mechanism, so the blocking method and device provided by the invention can be used on both.
Since the blocking device was deployed in January 2022, the invention has successfully blocked 7 on-chain attack events, and the blocking transactions captured proceeds of more than 400 million dollars. These proceeds have been returned in full to the original project parties or users. Details of the 7 successfully blocked cases are shown in Table 2.
TABLE 2
Currently, the system takes 242965 ns on average to process a transaction, i.e., it can process about 4665 transactions per second. Taking Binance Smart Chain, currently the chain with the highest throughput, as the reference: under congestion each block can pack 700 transactions and the block interval is 3 s, so on average 233 transactions are processed per second. The processing time of the blocking device therefore fully meets the performance requirements of current blockchains.
In summary, in the invention: 1) the blocking method requires little computation and can generate the replacement transaction in a short time, making effective use of the brief time window between the broadcast of the attack transaction and its inclusion on chain; 2) by replacing the profit address and the permission control address in the attacker's original contract, it bypasses the permission control and profit settings of that contract, reuses the original attack logic, improves the success rate of constructing the replacement transaction, and solves the problem that attack logic is difficult to analyze during attack blocking; 3) the execution result of the replacement transaction is verified off-chain in advance, ensuring that the on-chain transaction achieves the profit transfer and avoiding unnecessary economic loss.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A transaction blocking method for smart contract vulnerability attacks, characterized by:
receiving an attack transaction in the memory pool provided by a blockchain node;
extracting the log information in the attack transaction, and filtering out the transfer events in the log information;
establishing a transaction fund flow table according to the transfer events, and locating the final fund inflow address as the attack profit address;
acquiring the contract creation information of the smart contract called by the attack transaction;
replacing the address information in the contract deployment code and the deployment parameters according to the acquired contract creation information;
constructing a new contract deployment transaction and a call transaction using the replaced contract creation information;
submitting the new contract deployment transaction and the call transaction to the blockchain node to obtain their execution result;
broadcasting the constructed new contract deployment transaction and call transaction to the blockchain nodes if the execution result shows that the profit has been transferred to the replaced address.
2. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the transfer events include basic asset transfers, obtained by analyzing the transaction Value field, and ERC-20 asset transfers, obtained by analyzing the events with the specific Transfer Topic defined in the ERC-20 standard.
3. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the transaction fund flow table is constructed by traversing all transfer records in the transaction and, for each transfer, counting the loss against the sender and the profit against the recipient; the content of the transaction fund flow table is the profit and loss information of each address involved in the transaction.
4. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the final fund inflow address is located by selecting, from the transaction fund flow table, the one or more addresses into which assets finally flow.
5. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the contract creation information comprises the deployment code and the corresponding deployment parameters used when the contract was created.
6. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the purpose of replacing the contract creation information is to bypass the contract's call permission control and to change the attack profit address. The addresses to be replaced are the attack initiator address and the attack profit address in the contract or in the transaction call parameters.
7. The transaction blocking method for smart contract vulnerability attacks according to claim 6, wherein the main replacement method is to replace, in the contract deployment code of the contract creation information, i.e. the contract bytecode, the address information related to opcodes, and also to replace the address information related to opcodes in the contract deployment parameters.
8. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein the constructed new transactions, comprising the contract deployment transaction and the contract call transaction, use the replaced contract creation information, and both use a resource consumption limit greater than or equal to that of the original transaction and a transaction fee price greater than that of the original transaction.
9. The transaction blocking method for smart contract vulnerability attacks according to claim 1, wherein, for the execution results of the new contract deployment transaction and call transaction obtained from the blockchain node, the logs are checked again, a transaction fund flow table is constructed, and it is confirmed whether the replaced new address is a profit address in that table.
10. A transaction blocking device for smart contract vulnerability attacks, characterized by comprising:
a communication unit, used for communicating with the blockchain nodes, receiving pending attack transactions and their execution results, acquiring contract creation information, and sending the constructed new contract deployment transaction and call transaction;
a fund flow table construction unit, used for extracting transaction log information, filtering transfer events, and constructing the fund flow table of a transaction;
an address determination unit, used for determining the final transaction profit address according to the constructed fund flow table;
a contract replacement unit, used for replacing the address information in the contract deployment code and the deployment parameters according to the acquired contract creation information, and constructing new contract creation information;
and a transaction construction unit, used for constructing a new contract deployment transaction and a call transaction according to the constructed contract creation information.
CN202211113706.XA 2022-09-14 2022-09-14 Transaction blocking method and device for intelligent contract vulnerability attack Pending CN115442380A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211113706.XA CN115442380A (en) 2022-09-14 2022-09-14 Transaction blocking method and device for intelligent contract vulnerability attack

Publications (1)

Publication Number Publication Date
CN115442380A true CN115442380A (en) 2022-12-06

Family

ID=84246488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211113706.XA Pending CN115442380A (en) 2022-09-14 2022-09-14 Transaction blocking method and device for intelligent contract vulnerability attack

Country Status (1)

Country Link
CN (1) CN115442380A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116663012A (en) * 2023-05-31 2023-08-29 烟台大学 Cross-contract vulnerability detection method, system and equipment
CN116663012B (en) * 2023-05-31 2023-11-03 烟台大学 Cross-contract vulnerability detection method, system and equipment
CN116743499A (en) * 2023-08-09 2023-09-12 杭州安碣信息安全科技有限公司 Imitation transaction generation method for intelligent contract attack
CN116743499B (en) * 2023-08-09 2023-10-27 杭州安碣信息安全科技有限公司 Imitation transaction generation method for intelligent contract attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination